-start oidc

author: Phil <phil.buschmann@tum.de> 2017-12-04 15:13:06 +0000
committer: Phil <phil.buschmann@tum.de> 2017-12-04 15:13:06 +0000
commit: 514dd6f53cb735d0e48f35ddf92eae469c0abc8a (patch)
tree: d95be0a362c647f72818ece8c00bc5bc499d951f /src/identity-provider/plugin_rest_identity_provider.c
parent: 08ea93ee62022a31040e1f1e1b62cf4092c2331b (diff)
download: gnunet-514dd6f53cb735d0e48f35ddf92eae469c0abc8a.tar.gz
gnunet-514dd6f53cb735d0e48f35ddf92eae469c0abc8a.zip
1 files changed, 170 insertions, 1 deletions
diff --git a/src/identity-provider/plugin_rest_identity_provider.c b/src/identity-provider/plugin_rest_identity_provider.c
index f6039722f..ff28b592e 100644
--- a/src/identity-provider/plugin_rest_identity_provider.c
+++ b/src/identity-provider/plugin_rest_identity_provider.c
@@ -65,6 +65,12 @@
 #define GNUNET_REST_API_NS_IDENTITY_CONSUME "/idp/consume"
 /**
+ * Authorize namespace
+ */
+#define GNUNET_REST_API_NS_AUTHORIZE "/idp/authorize"
+/**
 * Attribute key
 */
 #define GNUNET_REST_JSONAPI_IDENTITY_ATTRIBUTE "attribute"
@@ -307,7 +313,7 @@ do_error (void *cls)
  char *json_error;
  GNUNET_asprintf (&json_error,
-                   "{Error while processing request: %s}",
+                   "{error : %s}",
                   handle->emsg);
  resp = GNUNET_REST_create_response (json_error);
  handle->proc (handle->proc_cls, resp, handle->response_code);
@@ -1012,6 +1018,167 @@ options_cont (struct GNUNET_REST_RequestHandle *con_handle,
 }
 /**
+ * Respond to OPTIONS request
+ *
+ * @param con_handle the connection handle
+ * @param url the url
+ * @param cls the RequestHandle
+ */
+static void
+authorize_cont (struct GNUNET_REST_RequestHandle *con_handle,
+              const char* url,
+              void *cls)
+{
+        //TODO clean up method
+//    The Authorization Server MUST validate all the OAuth 2.0 parameters according to the OAuth 2.0 specification.
+//    The Authorization Server MUST verify that all the REQUIRED parameters are present and their usage conforms to this specification.
+//    If the sub (subject) Claim is requested with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server or has been Authenticated as a result of the request. The Authorization Server MUST NOT reply with an ID Token or Access Token for a different user, even if they have an active session with the Authorization Server. Such a request can be made either using an id_token_hint parameter or by requesting a specific Claim Value as described in Section 5.5.1, if the claims parameter is supported by the implementation.
+        struct MHD_Response *resp;
+        struct RequestHandle *handle = cls;
+        /*
+         *      response_type   0
+         *      client_id               1
+         *      scope                   2
+         *      redirect_uri    3
+         *      state                   4
+         *      nonce                   5
+         *      display                 6
+         *      prompt                  7
+         *      max_age                 8
+         *      ui_locales              9
+         *      response_mode   10
+         *      id_token_hint   11
+         *      login_hint              12
+         *      acr_values              13
+         */
+        char* array[] = { "response_type", "client_id", "scope", "redirect_uri",
+                        "state", "nonce", "display", "prompt", "max_age", "ui_locales",
+                        "response_mode", "id_token_hint","login_hint", "acr_values" };
+        int array_size=14;
+        int bool_array[array_size];
+        struct GNUNET_HashCode cache_key;
+        //iterates over each parameter and store used values in array array[]
+        int iterator;
+        for( iterator = 0; iterator<array_size; iterator++){
+                GNUNET_CRYPTO_hash (array[iterator], strlen (array[iterator]), &cache_key);
+                char* cache=GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, &cache_key);
+                bool_array[iterator]=0;
+                if(cache!=0){
+                        size_t size=strlen(cache)+1;
+                        array[iterator]=(char*)malloc(size*sizeof(char));
+                        strncpy(array[iterator],cache,size);
+                        bool_array[iterator]=1;
+                }
+        }
+        //MUST validate all the OAuth 2.0 parameters & that all the REQUIRED parameters are present and their usage conforms to this specification
+        //required values: response_type, client_id, scope, redirect_uri
+        if(!bool_array[0] || !bool_array[1] || !bool_array[2] || !bool_array[3]){
+                handle->emsg=GNUNET_strdup("invalid_request");
+                handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+                GNUNET_SCHEDULER_add_now (&do_error, handle);
+                return;
+        }
+        //response_type = code
+        if(strcmp(array[0],"code")!=0){
+                handle->emsg=GNUNET_strdup("invalid_response_type");
+                handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+                GNUNET_SCHEDULER_add_now (&do_error, handle);
+                return;
+        }
+        //scope contains openid
+        if(strstr(array[2],"openid")==NULL){
+                handle->emsg=GNUNET_strdup("invalid_scope");
+                handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+                GNUNET_SCHEDULER_add_now (&do_error, handle);
+                return;
+        }
+        //TODO check other values and use them accordingly
+        char* redirect_url_to_login;
+//      if(){
+//
+//      }else{
+//
+//      }
+        if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_string (cfg,
+                                                     "identity-rest-plugin",
+                                                     "address",
+                                                     &redirect_url_to_login)){
+                char* build_array[] = { "response_type", "client_id", "scope", "redirect_uri",
+                                        "state", "nonce", "display", "prompt", "max_age", "ui_locales",
+                                        "response_mode", "id_token_hint","login_hint", "acr_values" };
+                size_t redirect_parameter_size= strlen("?");
+                for(iterator=0;iterator<array_size;iterator++){
+                        if(bool_array[iterator]){
+                                redirect_parameter_size += strlen(array[iterator]);
+                                redirect_parameter_size += strlen(build_array[iterator]);
+                                if(iterator==array_size-1)
+                                {
+                                        redirect_parameter_size += strlen("=");
+                                }else{
+                                        redirect_parameter_size += strlen("=&");
+                                }
+                        }
+                }
+                char redirect_parameter[redirect_parameter_size+1];
+                redirect_parameter_size = 0;
+                redirect_parameter[redirect_parameter_size]='?';
+                for(iterator=0;iterator<array_size;iterator++){
+                        if(bool_array[iterator]){
+                                //If not last parameter
+                                if(iterator!=array_size-1)
+                                {
+                                        char cache[strlen(array[iterator])+strlen(build_array[iterator])+2+1];
+                                        snprintf(cache,sizeof(cache),"%s=%s&", build_array[iterator], array[iterator]);
+                                        strncat(redirect_parameter, cache, strlen(array[iterator])+strlen(build_array[iterator])+2 );
+                                }else{
+                                        char cache[strlen(array[iterator])+strlen(build_array[iterator])+1+1];
+                                        snprintf(cache,sizeof(cache),"%s=%s", build_array[iterator], array[iterator]);
+                                        strncat(redirect_parameter, cache, strlen(array[iterator])+strlen(build_array[iterator])+1 );
+                                }
+                        }
+                }
+                char redirect_component[strlen(redirect_url_to_login)+strlen(redirect_parameter)+1];
+                snprintf(redirect_component, sizeof(redirect_component), "%s%s", redirect_url_to_login, redirect_parameter);
+                resp = GNUNET_REST_create_response ("");
+                MHD_add_response_header (resp, "Location", redirect_component);
+         }else{
+                 handle->emsg=GNUNET_strdup("No server on localhost:8000");
+                 handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+                 GNUNET_SCHEDULER_add_now (&do_error, handle);
+                 return;
+//               resp = GNUNET_REST_create_response ("");
+//               MHD_add_response_header (resp, "Location", array[3]);
+         }
+        handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND);
+        cleanup_handle (handle);
+        for(iterator=0; iterator<array_size; iterator++){
+                if(bool_array[iterator]){
+                        free(array[iterator]);
+                }
+        }
+        return;
+}
+/**
 * Handle rest request
 *
 * @param handle the request handle
@@ -1024,6 +1191,8 @@ init_cont (struct RequestHandle *handle)
    {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &list_attribute_cont},
    {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &add_attribute_cont},
    {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_TICKETS, &list_tickets_cont},
+        {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont},
+        {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont},
    {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_REVOKE, &revoke_ticket_cont},
    {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_CONSUME, &consume_ticket_cont},
    {MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_IDENTITY_PROVIDER,
author	Phil <phil.buschmann@tum.de>	2017-12-04 15:13:06 +0000
committer	Phil <phil.buschmann@tum.de>	2017-12-04 15:13:06 +0000
commit	514dd6f53cb735d0e48f35ddf92eae469c0abc8a (patch)
tree	d95be0a362c647f72818ece8c00bc5bc499d951f /src/identity-provider/plugin_rest_identity_provider.c
parent	08ea93ee62022a31040e1f1e1b62cf4092c2331b (diff)
download	gnunet-514dd6f53cb735d0e48f35ddf92eae469c0abc8a.tar.gz gnunet-514dd6f53cb735d0e48f35ddf92eae469c0abc8a.zip

diff --git a/src/identity-provider/plugin_rest_identity_provider.c b/src/identity-provider/plugin_rest_identity_provider.c index f6039722f..ff28b592e 100644 --- a/src/identity-provider/plugin_rest_identity_provider.c +++ b/src/identity-provider/plugin_rest_identity_provider.c
@@ -65,6 +65,12 @@
65	#define GNUNET_REST_API_NS_IDENTITY_CONSUME "/idp/consume"	65	#define GNUNET_REST_API_NS_IDENTITY_CONSUME "/idp/consume"
66		66
67	/**	67	/**
		68	* Authorize namespace
		69	*/
		70	#define GNUNET_REST_API_NS_AUTHORIZE "/idp/authorize"
		71
		72
		73	/**
68	* Attribute key	74	* Attribute key
69	*/	75	*/
70	#define GNUNET_REST_JSONAPI_IDENTITY_ATTRIBUTE "attribute"	76	#define GNUNET_REST_JSONAPI_IDENTITY_ATTRIBUTE "attribute"
@@ -307,7 +313,7 @@ do_error (void *cls)
307	char *json_error;	313	char *json_error;
308		314
309	GNUNET_asprintf (&json_error,	315	GNUNET_asprintf (&json_error,
310	"{Error while processing request: %s}",	316	"{error : %s}",
311	handle->emsg);	317	handle->emsg);
312	resp = GNUNET_REST_create_response (json_error);	318	resp = GNUNET_REST_create_response (json_error);
313	handle->proc (handle->proc_cls, resp, handle->response_code);	319	handle->proc (handle->proc_cls, resp, handle->response_code);
@@ -1012,6 +1018,167 @@ options_cont (struct GNUNET_REST_RequestHandle *con_handle,
1012	}	1018	}
1013		1019
1014	/**	1020	/**
		1021	* Respond to OPTIONS request
		1022	*
		1023	* @param con_handle the connection handle
		1024	* @param url the url
		1025	* @param cls the RequestHandle
		1026	*/
		1027	static void
		1028	authorize_cont (struct GNUNET_REST_RequestHandle *con_handle,
		1029	const char* url,
		1030	void *cls)
		1031	{
		1032
		1033	//TODO clean up method
		1034
		1035
		1036	// The Authorization Server MUST validate all the OAuth 2.0 parameters according to the OAuth 2.0 specification.
		1037	// The Authorization Server MUST verify that all the REQUIRED parameters are present and their usage conforms to this specification.
		1038	// If the sub (subject) Claim is requested with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server or has been Authenticated as a result of the request. The Authorization Server MUST NOT reply with an ID Token or Access Token for a different user, even if they have an active session with the Authorization Server. Such a request can be made either using an id_token_hint parameter or by requesting a specific Claim Value as described in Section 5.5.1, if the claims parameter is supported by the implementation.
		1039
		1040
		1041
		1042	struct MHD_Response *resp;
		1043	struct RequestHandle *handle = cls;
		1044
		1045	/*
		1046	* response_type 0
		1047	* client_id 1
		1048	* scope 2
		1049	* redirect_uri 3
		1050	* state 4
		1051	* nonce 5
		1052	* display 6
		1053	* prompt 7
		1054	* max_age 8
		1055	* ui_locales 9
		1056	* response_mode 10
		1057	* id_token_hint 11
		1058	* login_hint 12
		1059	* acr_values 13
		1060	*/
		1061	char* array[] = { "response_type", "client_id", "scope", "redirect_uri",
		1062	"state", "nonce", "display", "prompt", "max_age", "ui_locales",
		1063	"response_mode", "id_token_hint","login_hint", "acr_values" };
		1064	int array_size=14;
		1065	int bool_array[array_size];
		1066
		1067	struct GNUNET_HashCode cache_key;
		1068
		1069	//iterates over each parameter and store used values in array array[]
		1070	int iterator;
		1071	for( iterator = 0; iterator<array_size; iterator++){
		1072	GNUNET_CRYPTO_hash (array[iterator], strlen (array[iterator]), &cache_key);
		1073	char* cache=GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, &cache_key);
		1074	bool_array[iterator]=0;
		1075	if(cache!=0){
		1076	size_t size=strlen(cache)+1;
		1077	array[iterator]=(char)malloc(sizesizeof(char));
		1078	strncpy(array[iterator],cache,size);
		1079	bool_array[iterator]=1;
		1080	}
		1081	}
		1082
		1083	//MUST validate all the OAuth 2.0 parameters & that all the REQUIRED parameters are present and their usage conforms to this specification
		1084
		1085	//required values: response_type, client_id, scope, redirect_uri
		1086	if(!bool_array[0] \|\| !bool_array[1] \|\| !bool_array[2] \|\| !bool_array[3]){
		1087	handle->emsg=GNUNET_strdup("invalid_request");
		1088	handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
		1089	GNUNET_SCHEDULER_add_now (&do_error, handle);
		1090	return;
		1091	}
		1092	//response_type = code
		1093	if(strcmp(array[0],"code")!=0){
		1094	handle->emsg=GNUNET_strdup("invalid_response_type");
		1095	handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
		1096	GNUNET_SCHEDULER_add_now (&do_error, handle);
		1097	return;
		1098	}
		1099	//scope contains openid
		1100	if(strstr(array[2],"openid")==NULL){
		1101	handle->emsg=GNUNET_strdup("invalid_scope");
		1102	handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
		1103	GNUNET_SCHEDULER_add_now (&do_error, handle);
		1104	return;
		1105	}
		1106
		1107	//TODO check other values and use them accordingly
		1108
		1109
		1110	char* redirect_url_to_login;
		1111
		1112	// if(){
		1113	//
		1114	// }else{
		1115	//
		1116	// }
		1117	if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_string (cfg,
		1118	"identity-rest-plugin",
		1119	"address",
		1120	&redirect_url_to_login)){
		1121
		1122	char* build_array[] = { "response_type", "client_id", "scope", "redirect_uri",
		1123	"state", "nonce", "display", "prompt", "max_age", "ui_locales",
		1124	"response_mode", "id_token_hint","login_hint", "acr_values" };
		1125
		1126	size_t redirect_parameter_size= strlen("?");
		1127	for(iterator=0;iterator<array_size;iterator++){
		1128	if(bool_array[iterator]){
		1129	redirect_parameter_size += strlen(array[iterator]);
		1130	redirect_parameter_size += strlen(build_array[iterator]);
		1131	if(iterator==array_size-1)
		1132	{
		1133	redirect_parameter_size += strlen("=");
		1134	}else{
		1135	redirect_parameter_size += strlen("=&");
		1136	}
		1137	}
		1138	}
		1139
		1140	char redirect_parameter[redirect_parameter_size+1];
		1141	redirect_parameter_size = 0;
		1142	redirect_parameter[redirect_parameter_size]='?';
		1143	for(iterator=0;iterator<array_size;iterator++){
		1144	if(bool_array[iterator]){
		1145	//If not last parameter
		1146	if(iterator!=array_size-1)
		1147	{
		1148	char cache[strlen(array[iterator])+strlen(build_array[iterator])+2+1];
		1149	snprintf(cache,sizeof(cache),"%s=%s&", build_array[iterator], array[iterator]);
		1150	strncat(redirect_parameter, cache, strlen(array[iterator])+strlen(build_array[iterator])+2 );
		1151	}else{
		1152	char cache[strlen(array[iterator])+strlen(build_array[iterator])+1+1];
		1153	snprintf(cache,sizeof(cache),"%s=%s", build_array[iterator], array[iterator]);
		1154	strncat(redirect_parameter, cache, strlen(array[iterator])+strlen(build_array[iterator])+1 );
		1155	}
		1156	}
		1157	}
		1158	char redirect_component[strlen(redirect_url_to_login)+strlen(redirect_parameter)+1];
		1159	snprintf(redirect_component, sizeof(redirect_component), "%s%s", redirect_url_to_login, redirect_parameter);
		1160	resp = GNUNET_REST_create_response ("");
		1161	MHD_add_response_header (resp, "Location", redirect_component);
		1162	}else{
		1163	handle->emsg=GNUNET_strdup("No server on localhost:8000");
		1164	handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
		1165	GNUNET_SCHEDULER_add_now (&do_error, handle);
		1166	return;
		1167	// resp = GNUNET_REST_create_response ("");
		1168	// MHD_add_response_header (resp, "Location", array[3]);
		1169	}
		1170
		1171	handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND);
		1172	cleanup_handle (handle);
		1173	for(iterator=0; iterator<array_size; iterator++){
		1174	if(bool_array[iterator]){
		1175	free(array[iterator]);
		1176	}
		1177	}
		1178	return;
		1179	}
		1180
		1181	/**
1015	* Handle rest request	1182	* Handle rest request
1016	*	1183	*
1017	* @param handle the request handle	1184	* @param handle the request handle
@@ -1024,6 +1191,8 @@ init_cont (struct RequestHandle *handle)
1024	{MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &list_attribute_cont},	1191	{MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &list_attribute_cont},
1025	{MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &add_attribute_cont},	1192	{MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &add_attribute_cont},
1026	{MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_TICKETS, &list_tickets_cont},	1193	{MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_TICKETS, &list_tickets_cont},
		1194	{MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont},
		1195	{MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont},
1027	{MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_REVOKE, &revoke_ticket_cont},	1196	{MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_REVOKE, &revoke_ticket_cont},
1028	{MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_CONSUME, &consume_ticket_cont},	1197	{MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_CONSUME, &consume_ticket_cont},
1029	{MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_IDENTITY_PROVIDER,	1198	{MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_IDENTITY_PROVIDER,